Quest AD Cmdlets
A member of my team came in this morning with a scripting request: "If we ran a full backup on all of our servers (fixed disks), how much disk space would they all consume altogether? We need to give the boss a ‘ball-park number’ by the end of the day!" So, how can we get that number? Here’s a quick & dirty version. 1. Get all computer objects (names only). We keep our servers in a dedicated OU in Active Directory. 2. Run a WMI query on all servers and subtract each fixed disk FreeSpace...
Updating an attribute value in Active Directory is usually not a big deal. Most of the attributes are single-valued and you can easily modify them. However, dealing with multi-valued attributes is another game. With Quest AD cmdlets you don’t have to pull your hair out: there is a special syntax for working with multi-valued attributes, and you use it via the ObjectAttributes parameter. The syntax is as follows (nested hashtable):
Set-QADUser -Identity <Identity> -ObjectAttributes @{ AttributeName...
When you create new Organizational Units in Active Directory Users And Computers (ADUC) in Server 2008 (or with RSAT on 2003 domains), ADUC gives you the option to protect the OU from accidental deletion. When this option is selected, ADUC updates the security descriptor of the object and, potentially, its parent, with a Deny ACE for the Everyone domain group, which denies all administrators or users of this domain and domain controller the ability to delete this object. Note: This setting does not...
My morning task today includes the following: get all mailboxes (Exchange 2003) larger than X megs where the associated user mailbox storage limits are overriding the settings of the Mailbox store. Storage limit information for user accounts is available in Active Directory Users and Computers on the user ‘Exchange General’ tab (click on ‘Storage Limits’ at the bottom). The ‘Storage Limits’ dialog box specifies the mailbox storage limits for warning or prohibiting a mailbox-enabled user from sending...
I got several requests to publish the latest version of a script I wrote once to retrieve all mail-enabled user accounts that have the password configured to never expire. Once the accounts are retrieved, based on the DaysToExpire variable value, a mail message is sent to the users stating that their password will expire in X days. Notice that the script requires the latest version of Quest AD cmdlets and is also compatible with PowerShell version 1 or 2.
$ReqVersion = [version] "1...
The following script lists all the groups or users that have been delegated as Exchange admins at the organizational level. There are three types of administrative roles: Exchange Full Administrator, Exchange Administrator, and Exchange View Only Administrator.
$cnc = (Get-QADObject (Get-QADRootDSE).ConfigurationNamingContext).DN
$DN = "CN=Microsoft Exchange,CN=Services,$cnc"
Get-QADPermission $DN -Inherited -SchemaDefault | `
Where-Object { $_.Rights.value__ -match '983551|131220...
I was tasked this morning with the following: Get all groups from Active Directory and produce a report that includes each group Name, distinguishedName, the type of the group, its scope, mail address, description and group membership count. Armed with Quest's AD cmdlets I wrote the following. It took 3 minutes to write the code and send it to my manager with PowerShell v2 Send-MailMessage cmdlet:
Get-QADGroup -SizeLimit 0 | Select-Object Name, DN, GroupType, GroupScope, @{Name = "MemberCount...
A few days ago I got a request from a reader of my blog: "I found the WMI commands to get info from Exchange 2003 servers and the following gets me the displayname, servername, storagegroupname, and storename but am I able to get the SamAccountName? Do you know any way?"
Get-WmiObject -Class Exchange_Mailbox -NameSpace root\microsoftexchangev2 -ComputerName ExchangeServer | Sort-Object MailboxDisplayName | Format-Table MailboxDisplayName, ServerName, StorageGroupName, StoreName, Size...
Earlier today a colleague of mine asked me for a script solution: "I want to get all users that cannot change their password from Active Directory but I can't find any attribute on the user account with that info." Correct, there is no such attribute. When a user account is set with the 'User cannot change password' account option, two (Deny) Access Control Entries (ACEs) are added to the account in question: 1. Deny for the user account (SELF) 2. Deny for everyone else (Everyone...